CVE-2022-3401

{"id": "CVE-2022-3401", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-10-28T19:15:09.240", "references": [{"url": "https://bricksbuilder.io/", "tags": ["Product", "Vendor Advisory"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3401", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution."}, {"lang": "es", "value": "El tema Bricks para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo debido a que permite a los editores de sitios incluir bloques de c\u00f3digo ejecutables en el contenido del sitio web en las versiones 1.2 a 1.5.3. Esto, combinado con la vulnerabilidad de autorizaci\u00f3n faltante (CVE-2022-3400), hace posible que atacantes autenticados con permisos m\u00ednimos, como un suscriptor, puedan editar cualquier p\u00e1gina, publicaci\u00f3n o plantilla en el sitio web vulnerable de WordPress e inyectar un c\u00f3digo de ejecuci\u00f3n. bloque que se puede utilizar para lograr la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2023-11-07T03:51:12.753", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bricksbuilder:bricks:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "C101AEC7-1AA2-4E3C-9E49-C2F7349643B8", "versionEndExcluding": "1.5.4", "versionStartIncluding": "1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}